Our Commitment to Security

data security


You may have heard recently about the Supreme Court case, Facebook v. Duguid which has relevance to P2P calling and texting programs. We have compiled a few key questions here, and will update this page as more information becomes available.

What does the ruling say?

For our clients, the central question this case weighs is whether you can text or call a cell phone without prior express permission (aka opt-in). The law that governs this question is the Telephone Consumer Protection Act (TCPA). The TCPA says that you cannot use an automatic telephone dialing system (ATDS) to contact cell phones without prior consent. So, the question has always been — what defines an ATDS?

Over the years, various courts have answered that question differently. The FCC, whose job it is to set rules based on the TCPA, recently ruled that the line in the sand was human intervention. Both ThruText and ThruTalk use human intervention to initiate every call or text, so we were always on the non-ATDS side of that line.

With this recent ruling, the Supreme Court has handed down an even narrower definition of an ATDS. Following the plain language of the statute, the Court ruled that a system only qualifies as an ATDS if it can call using random and sequential number generation, meaning picking strings of numbers randomly or in order on its own and then dialing them. Here’s the language from the ruling:  

To qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store a telephone number using a random or sequential number generator, or to produce a telephone number using a random or sequential number generator.

What does this mean for GetThru clients

ThruText and ThruTalk do not have, and have never had, the capacity to do random or sequential number generation. So by both the FCC’s test of human intervention and the Supreme Court’s test of random and sequential number generation, ThruText and ThruTalk do not qualify as an ATDS.

How does this affect my calling/texting program?

The headline here is that it doesn’t. There is now no question that ThruText and ThruTalk do not fit the definition of an Automated Telephone Dialing System, and as such they can be legally used to contact cell phones without prior express consent.    

What outstanding questions remain?

This ruling is still fairly recent, and there are still many outstanding questions about its implications.

For a good list of open questions, check out this post. We will be monitoring developments closely and will provide updates as we have them. 

Is this related to 10DLC?

Not directly, but we’re glad you asked! 10DLC is a new system that carriers like AT&T and T-Mobile are using to route text messages in order to protect the SMS channel from junk/spam texts. The Supreme Court ruling referenced is an interpretation of the TCPA’s rules for what technology can be used to contact cell phones.  

If you’re curious to learn more about 10DLC, you can see our FAQ on that here.

How can I stay up to date with developments?

Not only will this page be updated as we know more, we’ll also let you know about those updates through our Twitter and Facebook pages. You can also check out our most recent blog post.


We’ve compiled some frequently asked questions and information on 10DLC and will continue to keep this page updated as new information becomes available! Have a question about 10DLC that you don’t see here? Drop us a line here.

What is 10DLC?

10DLC stands for “10-digit long code”, or the phone numbers that ThruText uses to send personalized messages to individual people and is being used shorthand for a new system that carriers (like AT&T, Verizon, etc.) are implementing to protect the SMS channel from spam and junkmessagesg. We’ve compiled a more thorough dive into 10DLC here.

How will this affect ThruText clients?

All new and existing ThruText clients will need to designate an Account Owner to complete both Brand and Use Case registration on their behalf. Completion of these steps is a requirement to begin your texting program. You can find more information here:

What is GetThru doing?

We’re taking the necessary steps on our end to be in compliance with these changes so our clients can text with confidence. We’re an official “Campaign Service Provider” with The Campaign Registry, which means we can help our customers become compliant with the new 10DLC system.

Additionally, we put together a best practices guide for keeping your texting program going strong while avoiding complaints.

What's next?

We’ll share more updates as they come on concrete steps to take, deadlines, and any other news you can use primarily via our email newsletter for existing clients. To stay in the loop with us, you can follow us on Twitter, Facebook, or visit our ThruText Support Center. Don’t see the answers you need? Send us a note.

Product Security by Design

As a software as a service company, we build security in by design. The security team works closely with the Product Development, Design, and QA team to ensure that security is always a top priority by:

  • Emphasizing clean, scalable, and testable code
  • Requiring all code changes go through multiple levels of peer review
  • Completing static code analysis checks for bugs and vulnerabilities
  • Reviewing every feature with a manual quality assurance effort
  • Making heavy use of automated unit testing

Layered Defense

Medieval castle designers understood the importance of a layered defense. We too understand the importance of using multiple safeguards to repel attackers and protect your data. Our security architecture includes:

  • The use of a highly scalable and secure DNS provider
  • Distributed Denial of Service (DDos) mitigation
  • Web Application Firewall (WAF)
  • Application data encryption while at rest and in transit
  • All traffic between components is encrypted in transit
  • Routine web vulnerability scans check for OWASP and other threats

In addition to the above, we employ a variety of other technologies including Network Intrusion Detection System (NIDS), Anomaly scanning, and Host vulnerability scanning.

Access Control

We keep the keys to the kingdom carefully locked away.

  • Utilizing role-based, least privileged access
  • Maintaining a formal Identity & Access Management system 
  • Requiring MFA for all privileged systems, such as GitHub & AWS
  • Enforcing strong audit logging and regular monitoring of access

Trust But Verify

Security is at the heart of GetThru’s company ethos and product stability. To ensure a strong foundation, we have in place a robust information security program for all employees.
All team members receive annual security awareness training and new hires receive a security orientation personalized to their role. In addition, the security team presents a monthly security brief in addition to posting regular and relevant security-related topics. Every employee reviews and agrees to follow security policies at least annually. We believe in "trust, but verify" and routinely audit policies for compliance.

We'll Be There For You

GetThru was born in the cloud and engineered to be highly reliable, fault-tolerant and scalable. We know that your tools are only as valuable as their uptime and we are proud to say ours is unparalleled. 

  • Our platform has sent more than 200 million messages and made more than 50 million dials
  • We've exceeded our goal of 99.9% uptime since launch
  • We utilize centralized error tracking, application performance monitoring (APM), and centralized log management to quickly squash bugs and platform issues
  • We regularly review and test our disaster recovery plans